Each of the instances reported to the Auditor of State’s Office involves a cybercriminal impersonating the superintendent or a principal of a school district. In each case, an email was sent to a payroll department employee asking that a change be made to the bank account linked to the superintendent’s or principal’s direct deposit. The payroll deposit then is directed to the criminal. The scam is identified only after the impersonated employee realizes he or she did not get paid. These scams are especially effective because the staff member involved believes he or she is dealing directly with a district or school official who has the authority to make such a request.

In addition to alerting the appropriate authorities if your district has experienced such an attack (whether successful or not), the Auditor of State’s Office encourages Ohio districts to:

educate staff on this type of scam and be on the lookout for any such activity;

evaluate the procedures in place for making changes to employees’ payroll bank accounts to ensure they are sufficient; and

consider implementing additional (non-email-based) verification steps before making any such changes.

Based on incidents reported on the K-12 Cyber Incident Map, this is good advice and all districts (within and beyond Ohio) would do well to consider it.